<!DOCTYPE HTML>

<html lang="en">
<head>

<title>SessionFixationProtectionStrategy (spring-security-docs 5.6.3 API)</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="../../../../../../stylesheet.css" title="Style">
<link rel="stylesheet" type="text/css" href="../../../../../../jquery/jquery-ui.css" title="Style">
<script type="text/javascript" src="../../../../../../script.js"></script>
<script type="text/javascript" src="../../../../../../jquery/jszip/dist/jszip.min.js"></script>
<script type="text/javascript" src="../../../../../../jquery/jszip-utils/dist/jszip-utils.min.js"></script>
<!--[if IE]>
<script type="text/javascript" src="../../../../../../jquery/jszip-utils/dist/jszip-utils-ie.min.js"></script>
<![endif]-->
<script type="text/javascript" src="../../../../../../jquery/jquery-3.5.1.js"></script>
<script type="text/javascript" src="../../../../../../jquery/jquery-ui.js"></script>
</head>
<body>
<script type="text/javascript"><!--
    try {
        if (location.href.indexOf('is-external=true') == -1) {
            parent.document.title="SessionFixationProtectionStrategy (spring-security-docs 5.6.3 API)";
        }
    }
    catch(err) {
    }
//-->
var data = {"i0":10,"i1":10};
var tabs = {65535:["t0","All Methods"],2:["t2","Instance Methods"],8:["t4","Concrete Methods"]};
var altColor = "altColor";
var rowColor = "rowColor";
var tableTab = "tableTab";
var activeTableTab = "activeTableTab";
var pathtoroot = "../../../../../../";
var useModuleDirectories = true;
loadScripts(document, 'script');</script>
<noscript>
<div>JavaScript is disabled on your browser.</div>
</noscript>
<header role="banner">
<nav role="navigation">
<div class="fixedNav">

<div class="topNav"><a id="navbar.top">

</a>
<div class="skipNav"><a href="SessionFixationProtectionStrategy.html#skip.navbar.top" title="Skip navigation links">Skip navigation links</a></div>
<a id="navbar.top.firstrow">

</a>
<ul class="navList" title="Navigation">
<li><a href="../../../../../../index.html">Overview</a></li>
<li><a href="package-summary.html">Package</a></li>
<li class="navBarCell1Rev">Class</li>
<li><a href="package-tree.html">Tree</a></li>
<li><a href="../../../../../../deprecated-list.html">Deprecated</a></li>
<li><a href="../../../../../../index-all.html">Index</a></li>
<li><a href="../../../../../../help-doc.html">Help</a></li>
</ul>
</div>
<div class="subNav">
<ul class="navList" id="allclasses_navbar_top">
<li><a href="../../../../../../allclasses.html">All&nbsp;Classes</a></li>
</ul>
<ul class="navListSearch">
<li><label for="search">SEARCH:</label>
<input type="text" id="search" value="search" disabled="disabled">
<input type="reset" id="reset" value="reset" disabled="disabled">
</li>
</ul>
<div>
<script type="text/javascript"><!--
  allClassesLink = document.getElementById("allclasses_navbar_top");
  if(window==top) {
    allClassesLink.style.display = "block";
  }
  else {
    allClassesLink.style.display = "none";
  }
  //-->
</script>
<noscript>
<div>JavaScript is disabled on your browser.</div>
</noscript>
</div>
<div>
<ul class="subNavList">
<li>Summary:&nbsp;</li>
<li><a href="SessionFixationProtectionStrategy.html#nested.class.summary">Nested</a>&nbsp;|&nbsp;</li>
<li><a href="SessionFixationProtectionStrategy.html#field.summary">Field</a>&nbsp;|&nbsp;</li>
<li><a href="SessionFixationProtectionStrategy.html#constructor.summary">Constr</a>&nbsp;|&nbsp;</li>
<li><a href="SessionFixationProtectionStrategy.html#method.summary">Method</a></li>
</ul>
<ul class="subNavList">
<li>Detail:&nbsp;</li>
<li>Field&nbsp;|&nbsp;</li>
<li><a href="SessionFixationProtectionStrategy.html#constructor.detail">Constr</a>&nbsp;|&nbsp;</li>
<li><a href="SessionFixationProtectionStrategy.html#method.detail">Method</a></li>
</ul>
</div>
<a id="skip.navbar.top">

</a></div>

</div>
<div class="navPadding">&nbsp;</div>
<script type="text/javascript"><!--
$('.navPadding').css('padding-top', $('.fixedNav').css("height"));
//-->
</script>
</nav>
</header>

<main role="main">
<div class="header">
<div class="subTitle"><span class="packageLabelInType">Package</span>&nbsp;<a href="package-summary.html">org.springframework.security.web.authentication.session</a></div>
<h2 title="Class SessionFixationProtectionStrategy" class="title">Class SessionFixationProtectionStrategy</h2>
</div>
<div class="contentContainer">
<ul class="inheritance">
<li>java.lang.Object</li>
<li>
<ul class="inheritance">
<li><a href="AbstractSessionFixationProtectionStrategy.html" title="class in org.springframework.security.web.authentication.session">org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy</a></li>
<li>
<ul class="inheritance">
<li>org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy</li>
</ul>
</li>
</ul>
</li>
</ul>
<div class="description">
<ul class="blockList">
<li class="blockList">
<dl>
<dt>All Implemented Interfaces:</dt>
<dd><code>org.springframework.beans.factory.Aware</code>, <code>org.springframework.context.ApplicationEventPublisherAware</code>, <code><a href="SessionAuthenticationStrategy.html" title="interface in org.springframework.security.web.authentication.session">SessionAuthenticationStrategy</a></code></dd>
</dl>
<hr>
<pre>public class <span class="typeNameLabel">SessionFixationProtectionStrategy</span>
extends <a href="AbstractSessionFixationProtectionStrategy.html" title="class in org.springframework.security.web.authentication.session">AbstractSessionFixationProtectionStrategy</a></pre>
<div class="block">Uses <code>HttpServletRequest.invalidate()</code> to protect against session fixation
attacks.
<p>
Creates a new session for the newly authenticated user if they already have a session
(as a defence against session-fixation protection attacks), and copies their session
attributes across to the new session. The copying of the attributes can be disabled by
setting <code>migrateSessionAttributes</code> to <code>false</code> (note that even in this case,
internal Spring Security attributes will still be migrated to the new session).
<p>
This approach will only be effective if your servlet container always assigns a new
session Id when a session is invalidated and a new session created by calling
<code>HttpServletRequest.getSession()</code>.
<p>
<h3>Issues with <code>HttpSessionBindingListener</code></h3>
<p>
The migration of existing attributes to the newly-created session may cause problems if
any of the objects implement the <code>HttpSessionBindingListener</code> interface in a way
which makes assumptions about the life-cycle of the object. An example is the use of
Spring session-scoped beans, where the initial removal of the bean from the session
will cause the <code>DisposableBean</code> interface to be invoked, in the assumption that
the bean is no longer required.
<p>
We'd recommend that you take account of this when designing your application and do not
store attributes which may not function correctly when they are removed and then placed
back in the session. Alternatively, you should customize the
<code>SessionAuthenticationStrategy</code> to deal with the issue in an application-specific
way.</div>
<dl>
<dt><span class="simpleTagLabel">Since:</span></dt>
<dd>3.0</dd>
</dl>
</li>
</ul>
</div>
<div class="summary">
<ul class="blockList">
<li class="blockList">

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="nested.class.summary">

</a>
<h3>Nested Class Summary</h3>
<ul class="blockList">
<li class="blockList"><a id="nested.classes.inherited.from.class.org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy">

</a>
<h3>Nested classes/interfaces inherited from class&nbsp;org.springframework.security.web.authentication.session.<a href="AbstractSessionFixationProtectionStrategy.html" title="class in org.springframework.security.web.authentication.session">AbstractSessionFixationProtectionStrategy</a></h3>
<code><a href="AbstractSessionFixationProtectionStrategy.NullEventPublisher.html" title="class in org.springframework.security.web.authentication.session">AbstractSessionFixationProtectionStrategy.NullEventPublisher</a></code></li>
</ul>
</li>
</ul>
</section>

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="field.summary">

</a>
<h3>Field Summary</h3>
<ul class="blockList">
<li class="blockList"><a id="fields.inherited.from.class.org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy">

</a>
<h3>Fields inherited from class&nbsp;org.springframework.security.web.authentication.session.<a href="AbstractSessionFixationProtectionStrategy.html" title="class in org.springframework.security.web.authentication.session">AbstractSessionFixationProtectionStrategy</a></h3>
<code><a href="AbstractSessionFixationProtectionStrategy.html#logger">logger</a></code></li>
</ul>
</li>
</ul>
</section>

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="constructor.summary">

</a>
<h3>Constructor Summary</h3>
<table class="memberSummary">
<caption><span>Constructors</span><span class="tabEnd">&nbsp;</span></caption>
<tr>
<th class="colFirst" scope="col">Constructor</th>
<th class="colLast" scope="col">Description</th>
</tr>
<tr class="altColor">
<th class="colConstructorName" scope="row"><code><span class="memberNameLink"><a href="SessionFixationProtectionStrategy.html#%3Cinit%3E()">SessionFixationProtectionStrategy</a></span>()</code></th>
<td class="colLast">&nbsp;</td>
</tr>
</table>
</li>
</ul>
</section>

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="method.summary">

</a>
<h3>Method Summary</h3>
<table class="memberSummary">
<caption><span id="t0" class="activeTableTab"><span>All Methods</span><span class="tabEnd">&nbsp;</span></span><span id="t2" class="tableTab"><span><a href="javascript:show(2);">Instance Methods</a></span><span class="tabEnd">&nbsp;</span></span><span id="t4" class="tableTab"><span><a href="javascript:show(8);">Concrete Methods</a></span><span class="tabEnd">&nbsp;</span></span></caption>
<tr>
<th class="colFirst" scope="col">Modifier and Type</th>
<th class="colSecond" scope="col">Method</th>
<th class="colLast" scope="col">Description</th>
</tr>
<tr id="i0" class="altColor">
<td class="colFirst"><code>protected java.util.Map&lt;java.lang.String,&#8203;java.lang.Object&gt;</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="SessionFixationProtectionStrategy.html#extractAttributes(javax.servlet.http.HttpSession)">extractAttributes</a></span>&#8203;(javax.servlet.http.HttpSession&nbsp;session)</code></th>
<td class="colLast">
<div class="block">Called to extract the existing attributes from the session, prior to invalidating
it.</div>
</td>
</tr>
<tr id="i1" class="rowColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="SessionFixationProtectionStrategy.html#setMigrateSessionAttributes(boolean)">setMigrateSessionAttributes</a></span>&#8203;(boolean&nbsp;migrateSessionAttributes)</code></th>
<td class="colLast">
<div class="block">Defines whether attributes should be migrated to a new session or not.</div>
</td>
</tr>
</table>
<ul class="blockList">
<li class="blockList"><a id="methods.inherited.from.class.org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy">

</a>
<h3>Methods inherited from class&nbsp;org.springframework.security.web.authentication.session.<a href="AbstractSessionFixationProtectionStrategy.html" title="class in org.springframework.security.web.authentication.session">AbstractSessionFixationProtectionStrategy</a></h3>
<code><a href="AbstractSessionFixationProtectionStrategy.html#onAuthentication(org.springframework.security.core.Authentication,javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)">onAuthentication</a>, <a href="AbstractSessionFixationProtectionStrategy.html#onSessionChange(java.lang.String,javax.servlet.http.HttpSession,org.springframework.security.core.Authentication)">onSessionChange</a>, <a href="AbstractSessionFixationProtectionStrategy.html#setAlwaysCreateSession(boolean)">setAlwaysCreateSession</a>, <a href="AbstractSessionFixationProtectionStrategy.html#setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher)">setApplicationEventPublisher</a></code></li>
</ul>
<ul class="blockList">
<li class="blockList"><a id="methods.inherited.from.class.java.lang.Object">

</a>
<h3>Methods inherited from class&nbsp;java.lang.Object</h3>
<code>clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait</code></li>
</ul>
</li>
</ul>
</section>
</li>
</ul>
</div>
<div class="details">
<ul class="blockList">
<li class="blockList">

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="constructor.detail">

</a>
<h3>Constructor Detail</h3>
<a id="&lt;init&gt;()">

</a>
<ul class="blockListLast">
<li class="blockList">
<h4>SessionFixationProtectionStrategy</h4>
<pre>public&nbsp;SessionFixationProtectionStrategy()</pre>
</li>
</ul>
</li>
</ul>
</section>

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="method.detail">

</a>
<h3>Method Detail</h3>
<a id="extractAttributes(javax.servlet.http.HttpSession)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>extractAttributes</h4>
<pre class="methodSignature">protected&nbsp;java.util.Map&lt;java.lang.String,&#8203;java.lang.Object&gt;&nbsp;extractAttributes&#8203;(javax.servlet.http.HttpSession&nbsp;session)</pre>
<div class="block">Called to extract the existing attributes from the session, prior to invalidating
it. If <code>migrateAttributes</code> is set to <code>false</code>, only Spring Security
attributes will be retained. All application attributes will be discarded.
<p>
You can override this method to control exactly what is transferred to the new
session.</div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>session</code> - the session from which the attributes should be extracted</dd>
<dt><span class="returnLabel">Returns:</span></dt>
<dd>the map of session attributes which should be transferred to the new
session</dd>
</dl>
</li>
</ul>
<a id="setMigrateSessionAttributes(boolean)">

</a>
<ul class="blockListLast">
<li class="blockList">
<h4>setMigrateSessionAttributes</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setMigrateSessionAttributes&#8203;(boolean&nbsp;migrateSessionAttributes)</pre>
<div class="block">Defines whether attributes should be migrated to a new session or not. Has no
effect if you override the <code>extractAttributes</code> method.
<p>
Attributes used by Spring Security (to store cached requests, for example) will
still be retained by default, even if you set this value to <code>false</code>.</div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>migrateSessionAttributes</code> - whether the attributes from the session should be
transferred to the new, authenticated session.</dd>
</dl>
</li>
</ul>
</li>
</ul>
</section>
</li>
</ul>
</div>
</div>
</main>

<footer role="contentinfo">
<nav role="navigation">

<div class="bottomNav"><a id="navbar.bottom">

</a>
<div class="skipNav"><a href="SessionFixationProtectionStrategy.html#skip.navbar.bottom" title="Skip navigation links">Skip navigation links</a></div>
<a id="navbar.bottom.firstrow">

</a>
<ul class="navList" title="Navigation">
<li><a href="../../../../../../index.html">Overview</a></li>
<li><a href="package-summary.html">Package</a></li>
<li class="navBarCell1Rev">Class</li>
<li><a href="package-tree.html">Tree</a></li>
<li><a href="../../../../../../deprecated-list.html">Deprecated</a></li>
<li><a href="../../../../../../index-all.html">Index</a></li>
<li><a href="../../../../../../help-doc.html">Help</a></li>
</ul>
</div>
<div class="subNav">
<ul class="navList" id="allclasses_navbar_bottom">
<li><a href="../../../../../../allclasses.html">All&nbsp;Classes</a></li>
</ul>
<div>
<script type="text/javascript"><!--
  allClassesLink = document.getElementById("allclasses_navbar_bottom");
  if(window==top) {
    allClassesLink.style.display = "block";
  }
  else {
    allClassesLink.style.display = "none";
  }
  //-->
</script>
<noscript>
<div>JavaScript is disabled on your browser.</div>
</noscript>
</div>
<div>
<ul class="subNavList">
<li>Summary:&nbsp;</li>
<li><a href="SessionFixationProtectionStrategy.html#nested.class.summary">Nested</a>&nbsp;|&nbsp;</li>
<li><a href="SessionFixationProtectionStrategy.html#field.summary">Field</a>&nbsp;|&nbsp;</li>
<li><a href="SessionFixationProtectionStrategy.html#constructor.summary">Constr</a>&nbsp;|&nbsp;</li>
<li><a href="SessionFixationProtectionStrategy.html#method.summary">Method</a></li>
</ul>
<ul class="subNavList">
<li>Detail:&nbsp;</li>
<li>Field&nbsp;|&nbsp;</li>
<li><a href="SessionFixationProtectionStrategy.html#constructor.detail">Constr</a>&nbsp;|&nbsp;</li>
<li><a href="SessionFixationProtectionStrategy.html#method.detail">Method</a></li>
</ul>
</div>
<a id="skip.navbar.bottom">

</a></div>

</nav>
</footer>
<script>if (window.parent == window) {(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)})(window,document,'script','//www.google-analytics.com/analytics.js','ga');ga('create', 'UA-2728886-23', 'auto', {'siteSpeedSampleRate': 100});ga('send', 'pageview');}</script><script defer src="https://static.cloudflareinsights.com/beacon.min.js/v652eace1692a40cfa3763df669d7439c1639079717194" integrity="sha512-Gi7xpJR8tSkrpF7aordPZQlW2DLtzUlZcumS8dMQjwDHEnw9I7ZLyiOj/6tZStRBGtGgN6ceN6cMH8z7etPGlw==" data-cf-beacon='{"rayId":"7040d0e7cb0c980c","token":"bffcb8a918ae4755926f76178bfbd26b","version":"2021.12.0","si":100}' crossorigin="anonymous"></script>
</body>
</html>
